Introduction

This document describes how to install a certificate on a Cisco Catalyst 3850 Series switch or a Cisco 5760 wireless LAN controller (WLC), so that the certificate can be used later for authentication purposes. This is a generic document that focuses on certificate installation on a New Generation Wireless Controller (NGWC) switch.

Installation

When you get a user certificate from a vendor, you usually receive three entities in the Privacy Enhanced Mail (PEM) format:

User certificate

Rivest-Shamir-Adleman (RSA) key

Root certificate

This installation process for the Cisco Catalyst 3850 Series switch and the Cisco 5760 WLC differs from the installation for a Cisco 5508 WLC.

The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output.

Commands

These are the commands used in the installation example:

configure terminal

crypto pki trustpoint name

enrollment terminal pem

crypto pki authenticate name

show crypto pki certificates

Procedure

This procedure describes how to install a third-party certificate.

Install the trustpoint with these commands:

configure terminal
crypto pki trustpoint trustp1 <--- trustp1 is a word string; any word can be used here.
(ca-trustpoint)#enrollment terminal pem
(ca-trustpoint)#exit

Authenticate the trustpoint:

Enter the crypto pki authenticate command:

(config)#crypto pki authenticate trustp1

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

Copy and paste the user certificate; be sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

Press Enter, and type quit.

Trustpoint 'trustp1' is a subordinate CA and holds a non self signed cert
Trustpoint 'trustp1' is a subordinate CA.
but certificate is not a CA certificate.
Manual verification required
Certificate has the following attributes:

Trustpoint 'verisign.com' is a subordinate CA and holds a non self signed cert
Trustpoint 'verisign.com' is a subordinate CA.
but certificate is not a CA certificate.
Manual verification required
Certificate has the following attributes:

% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,
-----END RSA PRIVATE KEY-----
quit
% Enter PEM-formatted General Purpose certificate.
% End with a blank line or "quit" on a line by itself.

-----BEGIN CERTIFICATE----- <--- This is the USER
-----END CERTIFICATE-----
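The PEM blocks can be checked offline before they are pasted at the prompts shown above. This Python example is added here and is not part of the original Cisco document; it confirms that the BEGIN and END lines match, that the private key carries the Proc-Type and DEK-Info encryption headers, and computes a SHA-1 fingerprint of the certificate. Assumptions: the helper name inspect_pem is hypothetical, the sample bodies and IV are constructed placeholders, and the attributes the switch prints for manual verification are assumed to include a SHA-1 fingerprint to compare against.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample: dummy base64 bodies and a dummy IV, not real key material.
SAMPLE = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIENFUlRJRklDQVRF
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0011223344556677

Q09OU1RSVUNURUQgU0FNUExFIEtFWQ==
-----END RSA PRIVATE KEY-----
"""

BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----", re.S)

def inspect_pem(text):
    """Return one report per PEM block found in text (hypothetical helper)."""
    reports = []
    for begin, inner, end in BLOCK.findall(text):
        problems, headers, body = [], {}, []
        if begin != end:
            problems.append(f"BEGIN {begin} is closed by END {end}")
        for line in inner.splitlines():
            if ":" in line:  # encapsulated header such as Proc-Type or DEK-Info
                name, _, value = line.partition(":")
                headers[name.strip()] = value.strip()
            elif line.strip():
                body.append(line.strip())
        try:
            der = base64.b64decode("".join(body), validate=True)
        except (binascii.Error, ValueError):
            der = None
            problems.append("body is not valid base64")
        encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
        cipher = headers.get("DEK-Info", "").split(",")[0] or None
        if "PRIVATE KEY" in begin and not encrypted:
            problems.append("private key is not encrypted; the prompt asks for an encrypted key")
        if encrypted and cipher is None:
            problems.append("Proc-Type says ENCRYPTED but DEK-Info is missing")
        sha1 = None
        if begin == "CERTIFICATE" and der:
            sha1 = hashlib.sha1(der).hexdigest().upper()  # fingerprint of the DER bytes
        reports.append({"label": begin, "encrypted": encrypted, "cipher": cipher,
                        "sha1": sha1, "problems": problems})
    return reports
```

An empty result from inspect_pem means no complete BEGIN/END pair was found, which is the case the procedure warns about when the delimiter lines are left out of the paste.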